Creating a Self-Signed Identity Certificate Object

This procedure describes steps for generating a self-signed certificate for your ASA by entering the appropriate certificate field values in a wizard. You can generate as many self-signed certificates as you want.

To create a Self-Signed identity certificate object, perform the following steps:

Procedure


Step 1

In the left pane, click Objects > ASA Objects.

Step 2

Click and select ASA > Trustpoints.

Step 3

Enter an Object Name for the certificate. The name is used in the configuration as an object name only, it does not become part of the certificate itself.

Step 4

In the Identity Certificate step, select Identity Certificate.

Step 5

In the Import Type step, select New to upload the certificate file and click Continue.

Step 6

In the Enrollment step, select Self-Signed and click Continue.

The Certificates Content step appears. Read Self-Signed and CSR Certificate Generation Based on Certificate Contents to understand the CN and SANS content in the Self-Signed certificate that is being generated.

Step 7

In the Certificate Contents step, configure the following:

  • Country (C)— Select the country code from the drop-down list.

  • State or Province (ST)—The state or province to include in the certificate.

  • Locality or City (L)—The locality to include in the certificate, such as the name of the city.

  • Organization (O)—The organization or company name to include in the certificate.

  • Organizational Unit (Department) (OU)—The name of the organization unit (for example, a department name) to include in the certificate.

  • Common Name (CN)—The X.500 common name to include in the certificate. This could be the name of the device, web site, or another text string. This element is usually required for successful connections. For example, you must include a CN in the internal certificate used for remote access VPN.

  • Email Address (EA)— The e-mail address associated with the identity certificate.

  • IP Address— The ASA IP address on the network in four-part, dotted-decimal notation.

  • Device's FQDN— An unambiguous domain name, to indicate the position of the node in the DNS tree hierarchy.

  • Include Device's Serial Number— Select the check box if you want to add the ASA serial number to the certificate parameters.

  1. Click the Key tab.

    • Choose the RSA or ECDSA key type.

    • Key Size: If the key pair does not exist, defines the desired key size (modulus), in bits. The recommended key size for RSA is 1024 and for ECDSA is 348. The larger the modulus size, the more secure the key. However, keys with larger modulus sizes take longer to generate (a minute or more when larger than 512 bits) and longer to process when exchanged.

    • Click Continue.

Step 8

In the Advanced Options step, you can configure the following:

In the Revocation tab, you can configure the following:

  • Enable Certificate Revocation Lists (CRL) — Check to enable CRL checking.

    By default the Use CRL distribution point from the certificate check box is selected to obtain the revocation lists distribution URL from the certificate.

    Cache Refresh Time (in minutes) — Enter the number of minutes between cache refreshes. The default is 60 minutes. The range is 1-1440 minutes. To avoid having to retrieve the same CRL from a CA repeatedly, the ASA can store retrieved CRLs locally, which is called CRL caching. The CRL cache capacity varies by platform and is cumulative across all contexts. If an attempt to cache a newly retrieved CRL would exceed its storage limits, the ASA removes the least recently used CRL until more space becomes available.

  • Enable Online Certificate Status Protocol (OCSP) — Check to enable OCSP checking.

    OCSP Server URL—The URL of the OCSP server checking for revocation if you require OCSP checks. This URL must start with http://.

    Disable Nonce Extension — Enable the check box which cryptographically binds requests with responses to avoid replay attacks. This process works by matching the extension in the request to that in the response, ensuring that they are the same. Uncheck the Disable Nonce Extension check box if the OCSP server you are using sends pregenerated responses that do not include this matching nonce extension.

    Evaluation Priority — Specify whether to evaluate the revocation status of a certificate first in CRL or OSCP.

  • Consider the certificate valid if revocation information cannot be reached— Select this check box to consider the certificate to be a valid certificate if revocation information is unreachable.

    For more information on revocation check, see the "Digital Certificates" chapter in the "Basic Settings" book of the Cisco ASA Series General Operations ASDM Configuration, X.Y document.

Click the Others tab:

  • Use CA Certificate for the Validation of — Specify the type of connections that can be validated by this CA.

    • IPSec Client — Validates certificate presented by remote SSL servers.

    • SSL Client — Validates certificates presented by incoming SSL connections.

    • SSL Server — Validates certificates presented by incoming IPSec connections.

  • Use Identity Certificate for — Specify how the enrolled ID certificate can be used.

    • SSL & IPSec — Use for authenticating SSL & IPSec connections

    • Code Signer — Code signer certificates are special certificates whose associated private keys are used to create digital signatures. The certificates used to sign code are obtained from a CA, with the signed code itself revealing the certificate origin.

  • Other Options:

    • Enable CA flag in basic constraints extension — Select this option if this certificate should be able to sign other certificates. The basic constraints extension identifies whether the subject of the certificate is a Certificate Authority (CA), in which case the certificate can be used to sign other certificates. The CA flag is part of this extension. The presence of these items in a certificate i

    • Accept certificates issued by this CA — Select this option to indicate that the ASA should accept certificates from the specified CA.

    • Ignore IPSec Key Usage — Select this option if you do not want to validate values in the key usage and extended key usage extensions of IPsec remote client certificates. You can suppress key usage checking on IPsec client certificates. By default, this option is not enabled.

Step 9

Click Add.